VYPR
Unrated severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 4, 2025

WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF

CVE-2023-1624

Description

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF check when deleting logs, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the `wpcode_activate_snippets` capability delete arbitrary log files on the server, including files outside of the blog folders.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WPCode WordPress plugin before 2.0.9 allows attackers to trick users into deleting arbitrary log files via a CSRF vulnerability.

Vulnerability

The WPCode WordPress plugin prior to version 2.0.9 contains a cross-site request forgery (CSRF) vulnerability in its log deletion functionality. The plugin fails to validate the nonce when deleting logs and does not ensure that the file to be deleted resides within the expected log folder, allowing deletion of arbitrary files under the web server's user context [1]. Affected versions are all versions before 2.0.9.

Exploitation

An attacker must first identify a user who has the wpcode_activate_snippets capability and then craft a malicious link or cross-site request that triggers the log deletion endpoint. The attacker does not need authentication but must trick the authenticated user into performing a request, such as by visiting a malicious website or clicking a crafted link. The lack of CSRF protection and path validation means the attacker can specify any writable log file path for deletion [1].

Impact

Successful exploitation allows the attacker to delete arbitrary log files on the server, potentially removing evidence of other attacks or deleting files whose loss could disrupt service. The attacker gains no ability to read or modify files, only to delete them, and the operation is performed under the privileges of the targeted user. The scope is limited to file deletion, not remote code execution or privilege escalation.

Mitigation

The vulnerability is fixed in version 2.0.9 of the WPCode plugin, released on 2023-04-03 [1]. Users should update to at least this version. No other workarounds have been publicly disclosed. The plugin is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
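The two checks the description says were missing, a working CSRF nonce check and containment of the target path inside the log folder, are shown below as an added example for plugin authors; it is not WPCode's code and not the 2.0.9 patch. The function names, the `example_delete_log` action, the `log` parameter and the log directory are hypothetical; only the `wpcode_activate_snippets` capability comes from the advisory.

```php
<?php
// Added example: hypothetical handler, not WPCode's code. The action name,
// nonce action, 'log' parameter and log directory are all assumptions.

/** Resolve $name to a .log file strictly inside $log_dir, or return null. */
function example_resolve_log_path( string $log_dir, string $name ): ?string {
	$base = realpath( $log_dir );
	if ( false === $base ) {
		return null;
	}
	// basename() drops directory components such as "../".
	$candidate = realpath( $base . DIRECTORY_SEPARATOR . basename( $name ) );
	if ( false === $candidate || ! is_file( $candidate ) ) {
		return null;
	}
	// realpath() has already followed symlinks, so a prefix match on the
	// canonical path proves containment. The trailing separator stops a
	// sibling such as "/logs-old" from matching "/logs".
	if ( 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
		return null;
	}
	// Only files that look like logs are eligible for deletion.
	$ext = strtolower( pathinfo( $candidate, PATHINFO_EXTENSION ) );
	return 'log' === $ext ? $candidate : null;
}

function example_handle_delete_log(): void {
	// Authorization: the capability named in the advisory.
	if ( ! current_user_can( 'wpcode_activate_snippets' ) ) {
		wp_die( 'Forbidden', 403 );
	}
	// CSRF: check_admin_referer() dies unless the request carries a valid
	// nonce for this action, so a forged cross-site request stops here.
	check_admin_referer( 'example_delete_log' );

	$name = isset( $_POST['log'] ) ? sanitize_file_name( wp_unslash( $_POST['log'] ) ) : '';
	$path = example_resolve_log_path( WP_CONTENT_DIR . '/uploads/example-logs', $name );
	if ( null === $path ) {
		wp_die( 'Invalid log file', 400 );
	}
	wp_delete_file( $path );
	wp_safe_redirect( wp_get_referer() ?: admin_url() );
	exit;
}
add_action( 'admin_post_example_delete_log', 'example_handle_delete_log' );
```

The form that submits to this handler has to emit the matching nonce with `wp_nonce_field( 'example_delete_log' )`.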

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
